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EUROPEAN COMMISSION 


PROTECTION OF YOUR PERSONAL DATA 


This privacy statement provides information about 
the processing and the protection of your personal data 


Processing operation: Social Media Use by the European Commission 
Data Controller: Directorate-General for Communication, Directorate A, Unit A.1. 


Record reference: DPR-EC-00073 
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Contact information 


10. Where to find more detailed information? 


I; 


Introduction 


The European Commission (hereafter ‘the Commission’) is committed to protecting your 
personal data and to respecting your privacy. The Commission collects and further 
processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament 


and of the Council of 23 October 2018 on the protection of natural persons with regard to 
the processing of personal data by the Union institutions, bodies, offices and agencies and 
on the free movement of such data (repealing Regulation (EC) No 45/2001). 


This privacy statement explains the reasons for the processing of your personal data, the 
way we collect, handle and ensure protection of all personal data provided, how that 
information is used and what rights you have in relation to your personal data. It also 
specifies the contact details of the responsible Data Controller with whom you may exercise 
your rights, the Data Protection Officer and the European Data Protection Supervisor. 


This privacy statement concerns the processing of personal data by the Commission when 
managing its social media presence and related communication activities, administered by 
the Directorate-General for Communication, Unit A.1. (COMM.A.1) and by the units 
responsible for dealing with processing activities related to the said initiatives in the 
competent Commission department or service. 


Why and how do we process your personal data? 


The purpose of the processing is to facilitate online communication activities lead by the 
Commission through commonly used social media platforms, and to analyse how social 


media users react to the EU policies and initiatives. The processing of personal data by the 
Commission follows user’s voluntary registration, which is subject to the terms and 
conditions of a social media platform in question. 


The Commission relies on the third-party providers (e.g. Brandwatch, Vizia, Socialbakers) to 

aggregate and visualise publicly available data gathered through the social media networks. 

The aggregated data is used for the communication activities, such as coordinating social 

media presence, sending e-mails and invitations (this entails the management of contact 

lists for correspondence), statistical and analytical purposes, as well as the promotion of the 

Commission’s communication campaigns and related activities. That can be achieved 

through: 

e Engaging: interacting with social media users and responding to their queries; 

e Advertising: raising awareness about the EU policies and the opportunities for the 
participation in the EU decision-making process; 

e identifying and collaborating with influencers (defined by reach, number of followers, 
engagement and topic) who can promote Commission’s activities online; 

e Reporting and optimisation: analysing performance of posts and improving 
Commission’s online communication and engagement on social media. 


The Commission relies on the commonly used social media platforms to publish information 
about the EU policies, raise awareness about the Commission initiatives and engage directly 
with citizens by replying to their comments and questions. 


It is important to note that the ideas and views expressed by the Commission on social 
media are for information purposes only. No communication through social media shall be 


deemed to constitute legal or official notice on behalf of the Commission. While operating 
in the social media environment the Commission strives to ensure that adequate and 
specific safeguards are implemented for the processing of personal data, in line with the 
applicable data protection legislation. 


Your personal data will not be used for automated decision-making including profiling. 


3. On what legal ground(s) do we process your personal data? 


We process your personal data, because: 


1) processing is necessary for the performance of a task carried out in the public interest 
or in the exercise of official authority vested in the Union institution or body (Article 
5(1)(a) of Regulation (EU) 2018/1725) 


The personal data processing linked to the qualitative media monitoring analysis, 
including social media, as well as operating and maintenance of the Commission's social 
media presence are necessary for the performance of the Commission’s tasks carried 
out in the public interest,, as mandated by the treaties, and more specifically Article 5 of 
TEU, Article 13 TEU and Articles 244-250 TFEU, and in accordance with Article 1 and 
Article 11 of TEU. 


Informing the broad public and qualitative media monitoring, including monitoring and 
analysis of social media activities is a public service task resulting from the European 
Commission's own prerogatives at institutional level, as provided for in Article 58 (2) (d) 
of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council 
of 18 July 2018 on the financial rules applicable to the general budget of the Union, 
amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) 
No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 
283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 
966/2012 (OJ L 193, 30.7.2018, p. 1). 


2) processing is necessary for the performance of a contract to which the data subject is 
party or in order to take steps at the request of the data subject prior to entering into a 
contract (Article 5(1)(c) of Regulation (EU) 2018/1725) 


The processing is necessary for the purpose of fulfilling contractual obligations 
stemming from the framework contracts for Software for Innovation, Diversity and 
Evolution, as well as for the Data Science, concluded between the Commission and its 
contractors. 


4. Which personal data do we collect and further process? 


Depending on the circumstances and, on the social media platform in question, the 
Commission or its processors may collect and further process the following categories of 
data: 


1) Personal data derived from the user profiles: 
- identification data: name and surname, username, user identification, geographical 
area, age, gender and other personal characteristics such as the marital status, 
nationality 


- professional and educational background: occupation, employment history, 
academic record etc. 

- online identifiers: device ID, IP address and/or cookie identifier 

2) Personal data available about users of social media platforms through their networks 
and connections: engagement, reach and sentiment, comments, shares of users on a 
specific topic, networks and connections 

3) Unsolicited personal data processed via third-party platform, app or a website 
(connected to social media platform) that may be obtained when a user visits or uses 
their services 

4) Personal data available via audiovisual content that might be published on the social 
media platforms: information in or about the content provided by a user (e.g. 
metadata), such as the location of a photo or the date a file was created, voice 
recordings, video recordings, or an image of a data subject 

5) The categories of data processed by the EU Login application are described in the record 
of DIGIT (DPR-EC-03187) 

6) The categories of data processed by Smarp are described in the record of DGCOMM 
(DPR-EC-02095.1) 

7) The categories of data processed via EC audio-visual services are described in the record 
of DGCOMM (DPR-EC-00074.1) 


When you access a Commission website, the Commission receives as an essential technical 
requirement the IP address and/or the device ID of the device used to access the website. 


Without this processing you will not be able to establish a technical connection between 
your devices and the server infrastructure maintained by the Commission and therefore you 
will not be able to access the websites of the Commission. 


The Data Controller may share aggregate or de-identified information with other 
Commission Directorates and/or other EU institutions for archiving, scientific research or 
statistical purposes. 


How long do we keep your personal data? 


The Data Controller only keeps your personal data for the time necessary to fulfil the 
purpose of collection or further processing. 


5.1. Personal data derived from the user profiles and related personal data available 
through users’ networks and connections (including unsolicited data) 


After initially being processed by the Data Controller or its processors, personal data may be 
stored for a maximum period of 5 (five) years or, until a user deletes a social media account. 
Only aggregated and numeric values for performance measurement will be stored by the 
Data Controller in order to preserve capability to provide intra-mandate reports. 


Please be advised that the retention period is only an estimate and, it may vary depending 
on the nature of the data, why it is collected and processed, and relevant retention 
requirements prescribed by law. 


5.2. Personal data available via audio-visual content 


Selected audiovisual content may be archived for permanent preservation, in line with the 
provisions of the Common Commission Level Retention List (SEC(2019)900/2), for historical 
purposes to document, preserve and make available the history and audio-visual heritage of 
the Commission and the European Union. 


5.3. Reports, paper and electronic records, including ARES records kept by DG COM 


All paper and electronic records concerning the day-to-day correspondence, calls for 
proposals and/or interest together with the resulting contractual/financial files as well as 
reports containing aggregated data will be archived according to the Common Commission 
Level Retention List (SEC(2019)900/2) and stored in ARES (Advanced Records System) under 
the responsibility of Secretariat-General (see Notification DPO-1530.4) for a period of 10 
(ten) years with the application of sampling and selection techniques. 


How do we protect and safeguard your personal data? 


All personal data in electronic format (e-mails, documents, databases, uploaded batches of 
data, etc.) are either on the servers of the European Commission (located on the premises 
of the Directorate-General in Brussels and in the DGDIGIT datacentre in Luxembourg), or of 
its contractors, all inside the EU. All processing operations are carried out pursuant to the 
Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of 


communication and information systems in the Commission. 


The Commission’s contractors are bound by a specific contractual clause for any processing 
operations of personal data on behalf of the Commission, and by the confidentiality 
obligations deriving from the Regulation (EU) 2016/679 of the European Parliament and of 


the Council of 27 April 2016 on the protection of natural persons with regard to the 
processing of personal data and on the free movement of such data (GDPR). 


In order to protect your personal data, the Commission has put in place a number of 
technical and organisational measures. Technical measures include appropriate actions to 
address online security, risk of data loss, alteration of data or unauthorised access, taking 
into consideration the risk presented by the processing and the nature of the personal data 
being processed. Organisational measures include restricting access to personal data solely 
to authorised persons with a legitimate need to know for the purposes of this processing 
operation. 


Who has access to your personal data and to whom is it disclosed? 


Access to your personal data is provided to the authorised personnel of the EU institutions 
and its contractors responsible for carrying out this processing operation according to the 
“need to know” principle. Such staff abide by statutory, and when required, additional 
confidentiality agreements. 


Authorised staff of the Directorate-General for Communication responsible for qualitative 
media monitoring and social media presence of the Commission have access to the 
aggregated data provided by the users of social media platforms and related personal data 
available through their networks and connections, including any additional information 
published on a website or on a third-party platform that is being analysed. 


The external service providers, including contractors under the framework Contract have 
access to the personal data derived from the user profiles and related personal data 
available through users’ networks and connections for the purpose of performing their 
contractual obligations with respect to the Commission. That includes any related 
information published on a website or on a third-party platform that is being analysed as 
well as to the parts of volume of coverage related to the EU or to their campaigns. For 
outreach actions with influencers by different services of the European Commission, the 
need to share data about the influencers’ reach, engagement, or the number of posts is 
required. 


7.1. Third party IT tools & Social Media platforms 


For statistical and analytical purposes, the Commission collects and analyses aggregated 
data about the relevant users of social media platforms. In order to gather and visualise 
aggregated data for statistical research, the Commission relies on the GDPR-compliant 
media monitoring tools, which produce the reports and analyse aggregated data from the 
Commission’s corporate social media channels (e.g. Brandwatch, Vizia, Socialbackers). Only 


information that is publicly available will processed and analysed (that may include, the data 
from public posts by social media users on different social media channels, including 
forums, blogs and news). 


Furthermore, the Commission may use third party IT tools to inform about and promote the 
EU’s activities through widely used communication channels. 


For example, you may be able to watch our videos, which may be also uploaded to one of 
our social media pages and follow links from our website to other relevant social media. 


In order to protect your privacy, our use of third party IT tools to connect to those services 
does not set cookies when our website pages are loaded on your computer (or other 
devices), nor are you immediately redirected to those social media or other websites. Only 
in the event that you click on a button or “play” ona video to watch it, a cookie of the social 
media company concerned will be installed on your device. If you do not click on any social 
media buttons or videos, no cookies will be installed on your device by third parties. 


In order to view such third-party content, a message will alert you that you need to accept 
those third parties’ specific Terms and Conditions, including their cookie policies, over which 
the Commission has no control. 


We recommend that users carefully read the relevant privacy policies of the social media 
tools used. These explain each company’s policy of personal data collection and further 
processing, their use of data, users' rights and the ways in which users can protect their 
privacy when using those services. 


The use of a third party IT tool does not in any way imply that the European Commission 
endorses them or their privacy policies. In the event that one or more third party IT tools 
are occasionally unavailable, we accept no responsibility for lack of service due to their 
downtime. 


The information we collect will not be given to any third party, except to the extent and for 
the purpose we may be required to do so by law. 
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What are your rights and how can you exercise them? 


You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation 

(EU) 2018/1725. As regards this processing operation, you can exercise the following rights: 

- the right to access your personal data (Article 17 of Regulation (EU) 2018/1725); 

- the right to rectification in the case that your personal data is inaccurate or incomplete 
(Article 18 of Regulation (EU) 2018/1725); 

- the right to erasure of your personal data (Article 19 of Regulation (EU) 2018/1725); 

- where applicable, the right to restrict the processing of your personal data (Article 20 of 
Regulation (EU) 2018/1725); 

- the right to data portability (Article 22 of Regulation (EU) 2018/1725); 

- and the right to object to the processing of your personal data, which is lawfully carried 
out pursuant to Article 5(1)(a). 


You can exercise your rights by contacting the Data Controller, or in case of conflict, the 
Data Protection Officer. If necessary, you can also address the European Data Protection 
Supervisor. The contact information can be found under Section 9. 


Where you wish to exercise your rights in the context of one or several specific processing 
operations, please provide their description (i.e. Record reference(s) as specified under 
Section 10) in your request. 


Contact information 


The Data Controller 

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have 
comments, questions or concerns, or if you would like to submit a complaint regarding the 
collection and use of your personal data, please feel free to contact the Data Controller, 
Directorate-General for Communication, Unit A.1. (COMM-SOCIAL-MEDIA- 
TEAM @ec.europa.eu) 


The Data Protection Officer (DPO) of the Commission 

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) 
with regard to issues related to the processing of your personal data under Regulation (EU) 
2018/1725. 


The European Data Protection Supervisor (EDPS) 
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data 
Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under 


Regulation (EU) 2018/1725 have been infringed as a result of the processing of your 
personal data by the Data Controller. 


Where to find more detailed information? 


The Commission Data Protection Officer (DPO) publishes the register of all processing 
operations on personal data by the Commission, which have been documented and notified 
to him. You may access the register via the following link: http://ec.europa.eu/dpo-register. 


This specific processing operation has been included in the DPO’s public register with the 
following Record reference: DPR-EC-00073 


